Made Purple Ltd

Purple Post Secure email and IM platform

Purple Post is a secure email and instant messaging system that allows residents the ability to have email, instant messaging or physical mail delivered to them in prison or secure-hospitals via an application that is intuitive and easy to use.
The system also helps with legal mail delivery and processing.

Features

• Secure cloud based access
• Real time reporting
• easy to search catalogue
• Set flags to ensure security is maintained
• On site printing option
• At scale BI tools available upon request
• Image validation
• Keywords alerts
• Sentiment analysis, foreign language detection & translation
• Custom approval flows for the most at-risk prisoners

Benefits

• Easily allow the public to send in quality images
• Ensure the images are do not contain adult material
• Receive mail from a trusted impartial source
• Create a catalogue of mail received
• Easily scan mail content before its even delivered to site
• Digitalise the mail process
• Reduce the time taken to scan mail

£295 a licence a month

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at George@madepurple.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 13

Service ID

831335283352739

Contact

George Kyriacou
01842558121
George@madepurple.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Purple MDM; Purple OS
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: Access to a secure web portal via internet browser is required
• System requirements: Broadband

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Business hours only See Support Plans
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Standard support plans are email and telephone support during business hours only there are no guaranteed response times offered however we will do our best to support you as quickly as possible.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: A unique login would be provided to your security department and your post room teams, Security teams will have the ability to set up flags and post room staff will have the ability to flag up / review items of post before they arrive.
• Service documentation: No
• End-of-contract data extraction: Users who have the correct permissions can extract data from the management portal. The data files that are exported will be encrypted using PGP.
• End-of-contract process: Made Purple will destroy all information from the sites environment and it will be permanently removed. Users will have access to all data that they are the controllers of for 93 days beyond the contract end date. There are no end of contract or data extraction charges.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: Yes
• Compatible operating systems:
  • Android
  • IOS
  • Linux or Unix
  • MacOS
  • Windows
  • Other
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Fully functionality is available on both mobile and desktop applications.
• Service interface: No
• User support accessibility: WCAG 2.1 A
• API: No
• Customisation available: Yes
• Description of customisation: All security settings within the Purple Post system are configurable and customisable.

Scaling

• Independence of resources: Our services are designed to be highly available and will auto-scale based on demands and traffic patterns. The service has been thoroughly stress tested . All services are load balanced and have health checks for target groups. We utilise multiple data centres in the London Region to load traffic and to make sure there is no single point of failure in our system.

Analytics

• Service usage metrics: Yes
• Metrics types: We measure the number of items sent to establishments; number of contacts receiving items; number of flags triggered; number of inappropriate content blocked; At scale BI tools available upon request
• Reporting types:
  • Real-time dashboards
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest: Physical access control, complying with CSA CCM v3.0
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Data can be exported directly from the web portal.
• Data export formats:
  • CSV
  • ODF
  • Other
• Other data export formats: .txt
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: System availability can be guaranteed provided a set criteria are met, Upon detection of a system outage, we immediately move to rectify the issue and aim to resolve it within 72 hours.
• Approach to resilience: Made Purple is an ISO27001 accredited organisation and has full continuity and disaster recovery management plans in place which have been independently audited. Further information available on request.
• Outage reporting: There are multiple ways you can receive alerts: ; 1. Email alerts ; 2. Slack or Teams integration ; 3. Using our API with webhooks

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Management interfaces are restricted either to Made Purple Ltd staff and approved sub-contractors or, if required for the function of the service, limited to authorised users of the service.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: User-defined

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: ACM-CCAS (UKAS)
• ISO/IEC 27001 accreditation date: 14-07-2020
• What the ISO/IEC 27001 doesn’t cover: The full scope of this product is covered by the certification
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • Cyber Essentials Plus
  • Check Certified Penetration Test Carried out annually

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: The data we store in AWS databases (London only) and storage is encrypted at rest with TDE (transparent data encryption) and while in transit using TLS. Policies are enforced by restricting access to virtual machines, databases and any administrative portals. User accounts can be revoked once a person leaves or is no longer associated with the project. All databases are protected by firewall with IP whitelisting rules.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We use the Software Assurance Maturity Model (SAMM) to manage configuration and change within our services, utilising Infrastructure as code (IaC) so that configuration and change can be identified, controlled and automated. We use Rolling updates and A/B testing to ensure changes are fit for purpose. Automated tests are built into our CI/CD pipeline to test the functionality, security and resilience of our system which includes fuzz testing, vulnerability scans and static code analysis. We use a comprehensive SIEM solution which provides monitoring, detection, and alerting of security events, anomalies, infrastructure changes and incidents.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We use a comprehensive SIEM solution which provides monitoring, detection, and alerting of security events, anomalies, software vulnerabilities, file integrity monitoring as well as cloud configuration issues. All logs are fed in to our SIEM solution so we have real time tracking of security incidents. All machines contain an agent to track software versions which are checked against CVE's as published by NVD and other sources such as OS security feeds. Upon detection of a vulnerability, we immediately move to patch the issue and aim to resolve any vulnerability within 48 hours.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: We use a comprehensive SIEM solution which provides monitoring, detection, and alerting of security events, anomalies, infrastructure changes and incidents. All logs are fed into this system. We also employ sophisticated industry standard software provided by AWS to monitor our systems for potential compromises, and proactively monitor logs relating to other services not covered by automated threat detection. Upon detection of a potential compromise, we immediately move to patch the or respond to the issue and aim to remove or patch any compromised system within 48 hours.
• Incident management type: Supplier-defined controls
• Incident management approach: We have pre-defined processes in place for common incidents such as compromised user accounts or the detection of suspicious activity. These processes are commensurate with the severity of the incident.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Fighting climate change:

  Fighting climate change

  Climate change is something that the Made Purple team take incredibly seriously, which is one of the reasons we have selected AWS as our UK data centre. AWS has a long-term commitment to use 100% renewable energy. When using AWS Cloud rather than on-premises infrastructure, you typically reduce carbon emissions by 88% because larger data centres can offer environmental economies of scale. Organisations generally use 77% fewer servers, 84% less power, and tap into a 28% cleaner mix of solar and wind power in the AWS Cloud versus their own data centres.
• Covid-19 recovery:

  Covid-19 recovery

  To Aid in the UK recovery of Covid-19 we have implemented a number of policies that provide our team members with flexible and favourable working arrangements that allows for them to take time off when needed to care for those close to them who may be shielding. We encourage our team to to use our in house built mindfulness applications and have implemented remote working policies for members of the team that may be unable to return to the workplace fully.
• Tackling economic inequality:

  Tackling economic inequality

  Made Purple encourage our team members to seek out and take advantage of the companies training and improvement policy which helps our team members to take part in a range of courses and up-skill themselves at their own pace.
• Equal opportunity:

  Equal opportunity

  As an equal opportunities employer Made Purple's employment policy states: Your gender, your skin colour, your gods, your sex life, or your best friends great grand mother make absolutely no difference here. If you’re smart, have a positive attitude with a willingness to learn as well as a true desire to serve our system users to the very best of your ability every single day, well, come as you are.
• Wellbeing:

  Wellbeing

  The wellbeing of the Made Purple team is paramount to our success and vital to ensure that we are delivering world class service to our customers and our system users. As a technology company we are well aware that physical activity during the working day can be difficult, which is why we encourage the use of stand up desks and support all team members with their physical goals providing additional time off for events such as marathons and mountain climbs. Mental wellbeing is also taken incredibly seriously within Made Purple, so much so that we have developed our very own mind fullness application that our staff can use for breathing exercises as well as guided / un-guided meditation. We keep our team fully updated in terms of current and future contracts to help provide them with an understanding of the companies activities and ensuring that they are fully trained and able to move onto a new contract should the contract they are working with come to an end. This we believe helps our team members to feel comfortable and confident with their Job security which is one of the top 5 reasons for stress within the technology sector.

Pricing

• Price: £295 a licence a month
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: 3 month free trail available,; Access to the purple post dashboard and full service access

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

• Modern Slavery statement

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at George@madepurple.com. Tell them what format you need. It will help if you say what assistive technology you use.